Cybersecurity Risk Management and Strategy

The security of our products, services and company networks is our top priority. We recognize the importance of assessing, identifying and managing significant risks associated with cybersecurity threats. These risks include operational risks, intellectual property infringement, fraud, extortion, damage caused to employees, customers, business partners or the public, violations of privacy or security laws and other litigation and legal risks and reputational risks. We attach great importance to our customer data and have implemented cybersecurity policies throughout our operations, including standardizing product quality through security reviews before prioritizing cybersecurity into design throughout the product and service lifecycle. Security departments combine external research and intelligence gathering to keep the company informed of new and evolving cyber risks.

We have implemented various cybersecurity processes, technologies and controls to help us assess, identify and manage significant risks imposed by cybersecurity threats and to protect, detect and respond to cybersecurity incidents. The measures we have taken include:

| ● | The formation of an Information Security Committee principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents. |
| ● | The security department implements cybersecurity policies based on the company’s development needs and legal requirements. These policies include, but are not limited to, the Information Security Management Strategy, Risk Assessment Management Measures, Network Security Management Measures, and Network and Information Security Incident Emergency Response Process and Plans. |
| ● | All company employees are required to complete annual comprehensive information security training, and R&D personnel are required to complete annual security coding training. Monthly information security tips are sent to all employees via email and instant messaging tools. The tips highlight specific threats and scenarios identified based on our analysis of current organizational risks. |
| ● | The security department establishes a standardized security operation system, which includes monitoring the security of host systems through intrusion detection systems and file change management systems. Automated black-box vulnerability scanning and white-box code scanning are conducted through scanning software. Advanced web application firewalls are employed to block attacks. Alerts are identified and addressed on a daily basis. |
| ● | Every year, based on our network security incident response plan, we strengthen internal cross-functional coordination and implement security incident drills to strengthen security incident management; and the DBA (“Database Administrator”) and operation and maintenance teams regularly perform disaster recovery drills. |
| ● | The security department conducts an annual assessment of information security risks and notifies the Information Security Committee. External consultants are hired to conduct regular penetration testing and participate in red teaming exercises. The security department drives the closure of internal risk-related issues. |

These measures demonstrate our commitment to ensuring the security of our products, services, and company networks, as well as protecting the confidentiality, integrity, and availability of our customer data.

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Item 3. Key Information—D. Risk Factors — Risks Relating to Our Business — Cybersecurity incidents, including data security breaches or computer viruses, could harm our business by disrupting our delivery of services, damaging our reputation or exposing us to liability.”